It is fixed, but it was a very long process, and I thought you should have the solution in the event that it happens again. This was NOT a Connections problem, but a virus problem that latched onto Connections from an infected computer. It drives me crazy when people just say, “it’s fixed” and don’t explain how.
Here’s a breakdown of what I did, if you’re not interested then just scroll to the bottom:
I determined the infection was directly related to the Connections plugin somehow, as it only happened on pages with that plugin. I noticed it was happening while editing the plugin through WordPress as well.
I knew that the malicious script was being injected into the html/js output of the plugin.
I went through all plugin files, plus the header, footer, and index php files and any JS loaded on those pages.
I found nothing.
I checked all of the .htaccess files.
These files were compromised once for me when I first started web design.
I found nothing here as well.
I checked almost all of the remaining JS and PHP files on the site, looking for obfuscated script that might be building hidden iframes, or for a chunk of code that would echo a malicious script onto the page.
The malware was found on pages like “ocontoareachamber.com/newsandmembers/chamber-members/pg/6”.
WordPress doesn’t use “pages”; it’s database driven, so it just keeps the info for the page in the DB and then loads it into the specified template (index.php or page.php by default).
It finally dawned on me that the infection could be in the database and that’s why I wasn’t finding it while combing through the files.
That was the issue! There was malicious script injected into the WYSIWYG editors for about 70 of the 128 entries in the Connections plugin. All of the malicious scripts were then stored in the database along with the Bio/Notes that were already there. The scripts could only be seen when viewing the content text, and the anti-malware plugins weren’t seeing all of them, or weren’t seeing any.
I went through and manually removed all of the malicious scripts.
It would have been faster if I had access to the database directly.
I scanned and confirmed the site is clean (using the same resources that said it was infected).
How did it get there?
With that kind of approach, the code could’ve only been added with direct access to the database, or through a computer infected with malware editing those entries. I’m wagering that if malware gained access to the database it would be more devastating. I believe someone was editing the back end while their computer was infected.
Visiting the site gave me “Best Price Ninja” malware on my computer. I believe in order to see the problem fixed completely, people who’ve visited the site since the infection should scan for malware and remove it.
I hope this helps if it happens to someone else.
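As an added example (not code from the original post or from the Connections plugin), here is a small Python scanner that applies the same idea to exported entry content instead of combing through it by hand: it walks a set of rows, flags the Bio/Notes fields that contain script tags, iframes, hidden-element styling or typical obfuscation calls, and can strip the injected blocks so the remaining HTML can be reviewed before being written back. The table layout (`id`, `field`, `content`) and the sample rows are constructed for the illustration; a real run would feed it rows pulled from the plugin's database table.

```python
import re

# Constructed sample rows standing in for exported Connections entries
# (hypothetical columns: id, field, content). Rows 2-4 carry injected
# markup of the kind described in the post; row 1 is clean.
SAMPLE_ROWS = [
    {"id": 1, "field": "bio",
     "content": "<p>Acme Hardware, serving the area since 1952.</p>"},
    {"id": 2, "field": "notes",
     "content": "<p>Open Mon-Fri.</p><script>eval(unescape('%64%6f%63'))</script>"},
    {"id": 3, "field": "bio",
     "content": "<p>Family owned.</p><iframe src=\"http://example.invalid/x\" "
                "style=\"visibility:hidden;width:1px;height:1px\"></iframe>"},
    {"id": 4, "field": "notes",
     "content": "<p>Call us!</p><script type=\"text/javascript\">"
                "document.write(unescape(\"%3Ciframe%20src%3D\"))</script>"},
]

# Indicators: blocks that never belong in a member bio, plus the styling and
# calls that injected scripts commonly use to hide an iframe or unpack payloads.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
IFRAME_BLOCK = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.I | re.S)
INDICATORS = [
    ("script_tag", SCRIPT_BLOCK),
    ("iframe_tag", IFRAME_BLOCK),
    ("hidden_style", re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)),
    ("obfuscated_js", re.compile(r"\b(?:eval|unescape|document\.write)\s*\(", re.I)),
]


def scan_content(content):
    """Return the names of the indicators that fire on one field value."""
    return [name for name, pattern in INDICATORS if pattern.search(content)]


def scan_rows(rows):
    """Return one finding per row whose content trips at least one indicator."""
    findings = []
    for row in rows:
        hits = scan_content(row["content"])
        if hits:
            findings.append({"id": row["id"], "field": row["field"], "indicators": hits})
    return findings


def strip_injected(content):
    """Remove script and iframe blocks; the rest of the HTML is left for review."""
    cleaned = SCRIPT_BLOCK.sub("", content)
    return IFRAME_BLOCK.sub("", cleaned)


def clean_rows(rows):
    """Return copies of the rows with injected blocks stripped from flagged ones."""
    cleaned = []
    for row in rows:
        new_row = dict(row)
        if scan_content(row["content"]):
            new_row["content"] = strip_injected(row["content"])
        cleaned.append(new_row)
    return cleaned


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"entry {finding['id']} ({finding['field']}): {', '.join(finding['indicators'])}")
    for row in clean_rows(SAMPLE_ROWS):
        print(f"entry {row['id']} after cleanup: {row['content']}")
```

The scanner reports which entries and which fields are affected, which is the part that took the longest by hand; the stripping step is deliberately blunt (whole script and iframe blocks only) so that a human still looks at each flagged entry before the cleaned content replaces the stored value, and so legitimate embedded content such as a map iframe is not silently lost.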